Chloe Smith (Conservative - Norwich North)
(9 years, 10 months ago)
Commons Chamber

It is a pleasure to follow my right hon. Friend the Member for Basingstoke (Maria Miller). Like her, I welcome the breadth of the Bill. I wish to focus on clauses 40 to 43 in part 2, which relate to cybercrime.
I do not usually speak in this House on foreign affairs, national security or organised crime. However, the cyber-security of our citizens and our country is hugely important and ranks alongside those more traditional spheres. In the words of The Economist:
“After land, sea, air and space, warfare has entered the fifth domain: cyberspace.”
The UK Government rightly already take these issues seriously. The 2010 national security strategy rated cyber-attacks as a tier 1 threat. That is why, despite a tight fiscal situation, they set £650 million aside over four years to develop the UK’s response. The cyber-strategy sets out four objectives: first, for the UK to tackle cybercrime and be one of the most secure places in the world to do business in cyberspace; secondly, for the UK to be more resilient against cyber-attacks and better able to protect our interests in cyberspace; thirdly, for the UK to have helped to shape an open, stable and vibrant cyberspace that the UK public can use safely, and which supports open societies; and fourthly, for the UK to have the cross-cutting knowledge, skills and capability it requires to underpin all of the above. It is that document that leads us here today through its commitment to reviewing existing legislation, for example the Computer Misuse Act 1990, and which led to the mention of this Bill in the Queen’s Speech.
I ought to mention that I held ministerial responsibility in this area. As a former Parliamentary Secretary to the Cabinet Office, I supported the Minister for the Cabinet Office and Paymaster General, my right hon. Friend the Member for Horsham (Mr Maude), in leading the national cyber-security programme. It is right to note in passing that it is correct to give that kind of cross-cutting leadership to the Cabinet Office, because in addition to everything the Minister here today is doing, she needs the co-operation of other Ministers and other Departments to keep us safe in the cyber-domain.
Cyber-security is perhaps in our minds owing to the attack on Sony late last year. Others have included the issue in their reviews of 2015: Luke Johnson, who floated Pizza Express in 1993, says that his big tip for 2015 is to get into cyber; US News, in its resolutions for 2015, argues that 2014 was the year that the hack went viral; and Huawei, a Chinese firm well known in the sector, continues to publish white papers, most recently in December, carrying the 100 things that its clients most need for their cyber-security. It is worth noting in passing that its papers are authorised by a former UK Government chief information officer. It is therefore timely to be looking today at the measures we need to better tackle cybercrime in Britain. Freedom from cybercrime is, needless to say, but one part of our cyber-security. The Bill is only one part perhaps of a whole framework of rights, responsibilities, freedoms and offences that one might argue we should debate to enable Britain to fulfil the four objectives: to be skilled, to be resilient and to be economically secure, but also open and free.
I have three points to make on the Bill. First, the most recent explicitly relevant legislation, the Computer Misuse Act 1990, is 25 years old. It is necessary to review and update any law after 25 years. Secondly, the UK needs to be able to make the national security and jurisdiction aspects contained in the clauses work effectively. Thirdly, there is the attitude that citizens need to take to their own cyber-security. Let me start with the first point.
Let us cast our minds back and ask what did not exist in 1990. I mentioned one of the entrepreneurs behind Pizza Express. Britain in 1990 had only a dozen Pizza Express restaurants, as opposed to the hundreds we see now. That shows how our offline economy and leisure habits have changed as much as those online. Sticking with leisure and recalling the film industry’s December hacking woes, think of the kind of technology we now see on screen. If you enjoyed any Pixar films over Christmas, Madam Deputy Speaker, recall that “Toy Story” was the first feature length computer animated film and was released in 1995. Moving on to communications, the world’s first smart phone, the IBM Simon, enjoyed its 20th anniversary last year—it went on sale in 1994. If we thought that one trend remained ahead of us, known as the internet of things and defined by Cisco internet business solutions groups as the moment in time when more things or objects are connected to the internet than are people, consider that the world passed that milestone in 2010. It stands to reason, therefore, that the 1990 law needs to be looked at: we ought to review it for the correct technical content; we ought to keep it under review for the appropriate freedoms, including today’s attitudes to data and ownership; and we ought to ensure it is future-proofed correctly. Today’s attitudes are not enough—tomorrow comes on pretty quickly—so we need to allow for frequent future updating in expectation of that fast change.
Computers make crime easier, faster and bigger—the same thing the internet has achieved in so many other areas of our lives—and that trend is going to continue. The president of the National Association of Data Protection Officers says:
“It’s the industrialisation of cyber-crime that’s the biggest challenge and in this area there are some menacing Mr Bigs who need to be faced down with greater risks to their personal liberty”.
Of course, a law that limits one person’s liberty limits another’s, and I do not underestimate the need to respect liberty. Sir Tim Berners-Lee argues that the worldwide web needs a Bill of Rights, which he says can only come about through communal decision, but that is a debate Parliament can have another day.
What should we look for today in the Bill? We ought to consider what prosecution can achieve. The hon. Member for Slough (Fiona Mactaggart), in her analysis of a different part of the Bill, rightly said that in many ways any prosecution was a failure, and it is true here, too, that to rely on law to enhance our security is in many ways to lock the stable door after the horse has bolted. We all expect our personal interests and critical national infrastructure to be strongly prepared, well protected and resilient. I welcome an updated criminal offence, but prosecution is after the fact. At best, it might be a strong deterrent, but nobody should expect it to form the only line of defence; we should expect those responsible for our national security to do a better job in the first place, rather than resorting to catching and prosecuting somebody who has caused the sort of serious damage mentioned in the Bill.
Various experts and commentators say the Bill will play
“an important role in helping to reduce the rates of cyber-attacks and deter criminal activity in this space… However, attribution continues to be one of the major difficulties… Therefore companies should not become complacent around cyber-security”.
Furthermore, they
“should be focusing on prevention over prosecution”
and should also
“ensure they have the ability and the processes in place to be able to act quickly if a breach occurs.”
The same goes for any organisation with responsibilities in this realm. I note in passing that the UK Centre for the Protection of National Infrastructure rightly explains that there are many other threats to our critical national infrastructure than merely cyber. We are right to focus on serious damage through cyber-attack, but it is not the only way someone could break a piece of CNI.
A technology and compliance lawyer adds a further warning:
“Internet crime is a global phenomenon and needs global co-operation. We need to be prepared to apply for extradition too to make them serve their sentence. This may be in part about that—to make sure foreign governments know we are serious to try and get greater co-operation across borders.”
I agree with that commentator on the importance of greater co-operation.
I want to make two small technical points. Section 17(6) of the Computer Misuse Act 1990 says that a computer is something that contains a program or data. Does the Minister think this is still a sufficient definition? Perhaps she could come back to me on that after the debate. Further to the point that my right hon. Friend the Member for Basingstoke raised, the Joint Committee on Human Rights took the view last October that the definition of “serious damage” may require revision, given that we are contemplating handing out life sentences. Will the Minister say a little more about that?
The UK needs to be able to make the national security and jurisdiction aspects in the Bill work. Does the Minister think the “linked to the UK” provisions are watertight? In particular, I have noted a discrepancy between what appears in lines 36 to 38 of page 36 and what is suggested in the explanatory notes. Explanatory notes are never to be taken on their own in themselves—they always say that very clearly—but is it possible for someone who is not a UK national who is affecting or intending to affect the UK, but not using a computer in the UK to do so, to walk away from this legislation? It seems to me that there is one small scenario left that may or may not be covered by the final paragraph (c) in clause 42(5).
Will the Minister clarify her views on whether the kind of attack on Sony before Christmas constitutes “serious damage” under this legislation, and perhaps, to be a little mischievous, on what she would do if she were in President Obama’s shoes, although that might be something for a later conversation? Will she describe what our own state is liable for under this legislation, considering that we have publicly promoted the existence of our own offensive cyber-capability? Finally, will the Minister confirm whether we are prepared to extradite to make these provisions work, and how she thinks this new law might have changed the situation of Gary McKinnon, for example, or someone in a similar position?
Let me turn to my third and final area of comment. I entirely support the Bill, and I raise just a few probing questions to deal with its various aspects. I have remarked that the tools we need to protect citizens from cybercrime are but one part of our broader cyber-security, and that the legislation is only one part of the fuller framework. I have mentioned what businesses and organisations need to do to protect themselves, but the final question is, of course, what the citizen should do to protect him or herself.
Get Safe Online—a good resource in this area—reminds us:
“There are a number of sensible and simple measures which you need to take in order to protect yourself against risks”,
and I refer hon. Members to that resource to do so. Taking these measures is important in one’s own home and also in the workplace. Indeed, no one who runs their own business should need a Member of Parliament to tell them how valuable is the online security of their own business, but what about people who work for someone else’s firm, and indeed the firms that make up the UK’s critical national infrastructure? Some argue that
“the biggest challenge at all levels in improving protection of the UK’s CNI is the security awareness of all the people who work”
for it. It is not only malice that can cause “serious damage”, but human error, incompetence and fatigue.
Let me provide some examples from the Transport Committee, on which I sit. First, in relation to malice, Edmund King, president of the Automobile Association, recently reminded us that modern cars can be connected to the internet 24 hours a day, and that he was concerned that hackers could control a car by attacking through its safety features. Secondly, we have heard in some detail on the Committee how and why the National Air Traffic Services system recently failed. We could argue that its evidence suggested that some failure is acceptable, as the argument has been put that when we have millions of lines of code, we cannot be expected to be sure of all of them. I read a recent paper that rather wonderfully talked about the attempts of
“either Murphy or Satan to interrupt the supply”.
You are looking very keen to interrupt me, Madam Deputy Speaker, so I shall finish. I have argued that legislation and law enforcement are only part of the picture. It is also incredibly important that we as individuals think about the risks that we undertake. We should think about all this in the products we use now, and all those we might use tomorrow. Just because someone has designed something cool, it does not mean that we as consumers have to buy it unthinkingly. Entrepreneurs themselves have to engage in the ethics of their own tech. We all want to live in a Britain that is skilled, resilient and economically secure, but also open and free. We all want the Mr Bigs of this online world taken down, which is why I support the Bill and its updating of old legislation.